Don't display a note that we can't see, fix CI, fix distinct fields on PostgresSQL DB

2020-04-10 00:02:22 +02:00 · 2020-04-10 00:02:22 +02:00 · 751147f254
parent bac81cd13e
commit 751147f254
8 changed files with 48 additions and 26 deletions
--- a/apps/activity/views.py
+++ b/apps/activity/views.py
@ -3,6 +3,7 @@
 from datetime import datetime, timezone
 from django.conf import settings
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.contenttypes.models import ContentType
 from django.db.models import F, Q
@ -45,8 +46,8 @@ class ActivityListView(ProtectQuerysetMixin, LoginRequiredMixin, SingleTableView
        context['title'] = _("Activities")
        upcoming_activities = Activity.objects.filter(date_end__gt=datetime.now())
-        context['upcoming'] = ActivityTable(data=upcoming_activities
+        context['upcoming'] = ActivityTable(data=upcoming_activities.filter(
-                                        .filter(PermissionBackend.filter_queryset(self.request.user, Activity, "view")))
+            PermissionBackend.filter_queryset(self.request.user, Activity, "view")))
        return context
@ -138,8 +139,14 @@ class ActivityEntryView(LoginRequiredMixin, TemplateView):
                    | Q(note__noteuser__user__last_name__regex=pattern)
                    | Q(name__regex=pattern)
                    | Q(normalized_name__regex=Alias.normalize(pattern)))) \
-            .filter(PermissionBackend.filter_queryset(self.request.user, Alias, "view"))\
+            .filter(PermissionBackend.filter_queryset(self.request.user, Alias, "view"))
-            .distinct()[:20]
+        if settings.DATABASES[note_qs.db]["ENGINE"] == 'django.db.backends.postgresql_psycopg2':
            note_qs = note_qs.distinct('note__pk')[:20]
        else:
            # SQLite doesn't support distinct fields. For compatibility reason (in dev mode), the note list will only
            # have distinct aliases rather than distinct notes with a SQLite DB, but it can fill the result page.
            # In production mode, please use PostgreSQL.
            note_qs = note_qs.distinct()[:20]
        for note in note_qs:
            note.type = "Adhérent"
            note.activity = activity
--- a/apps/note/api/serializers.py
+++ b/apps/note/api/serializers.py
@ -3,6 +3,8 @@
 from rest_framework import serializers
 from rest_polymorphic.serializers import PolymorphicSerializer
 from note_kfet.middlewares import get_current_authenticated_user
 from permission.backends import PermissionBackend
 from ..models.notes import Note, NoteClub, NoteSpecial, NoteUser, Alias
 from ..models.transactions import TransactionTemplate, Transaction, MembershipTransaction, TemplateCategory, \
@ -96,19 +98,23 @@ class NotePolymorphicSerializer(PolymorphicSerializer):
    class Meta:
        model = Note
 class ConsumerSerializer(serializers.ModelSerializer):
    """
    REST API Nested Serializer for Consumers.
    return Alias, and the note Associated to it in
    """
-    note = NotePolymorphicSerializer()
+    note = serializers.SerializerMethodField()
    class Meta:
        model = Alias
        fields = '__all__'
-    @staticmethod
+    def get_note(self, obj):
-    def setup_eager_loading(queryset):
+        if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", obj.note):
-        queryset = queryset.select_related('note')
+            print(obj.pk)
            return NotePolymorphicSerializer().to_representation(obj.note)
        return dict(id=obj.id)
 class TemplateCategorySerializer(serializers.ModelSerializer):
--- a/apps/note/api/views.py
+++ b/apps/note/api/views.py
@ -89,6 +89,7 @@ class AliasViewSet(ReadProtectedModelViewSet):
        return queryset
 class ConsumerViewSet(ReadOnlyProtectedModelViewSet):
    queryset = Alias.objects.all()
    serializer_class = ConsumerSerializer
--- a/apps/permission/backends.py
+++ b/apps/permission/backends.py
@ -8,6 +8,7 @@ from django.contrib.auth.models import User, AnonymousUser
 from django.contrib.contenttypes.models import ContentType
 from django.db.models import Q, F
 from note.models import Note, NoteUser, NoteClub, NoteSpecial
 from note_kfet import settings
 from note_kfet.middlewares import get_current_session
 from member.models import Membership, Club
@ -36,14 +37,21 @@ class PermissionBackend(ModelBackend):
            # Unauthenticated users have no permissions
            return Permission.objects.none()
-        return Permission.objects.annotate(club=F("rolepermissions__role__membership__club")) \
+        perms = Permission.objects.annotate(club=F("rolepermissions__role__membership__club")) \
            .filter(
                rolepermissions__role__membership__user=user,
                rolepermissions__role__membership__date_start__lte=datetime.date.today(),
                rolepermissions__role__membership__date_end__gte=datetime.date.today(),
                type=t,
-                mask__rank__lte=get_current_session().get("permission_mask", 0),
+                mask__rank__lte=get_current_session().get("permission_mask", 42),
-        ).distinct()
+        )
        if settings.DATABASES[perms.db]["ENGINE"] == 'django.db.backends.postgresql_psycopg2':
            # We want one permission per club, and per permission type.
            # SQLite does not support this kind of filter, that's why we don't filter the permissions with this
            # kind of DB. This only increases performances (we can check multiple times the same permission)
            # but don't have any semantic influence.
            perms = perms.distinct('club', 'pk')
        return perms
    @staticmethod
    def permissions(user, model, type):
@ -95,7 +103,7 @@ class PermissionBackend(ModelBackend):
            # Anonymous users can't do anything
            return Q(pk=-1)
-        if user.is_superuser and get_current_session().get("permission_mask", 0) >= 42:
+        if user.is_superuser and get_current_session().get("permission_mask", 42) >= 42:
            # Superusers have all rights
            return Q()
@ -129,9 +137,9 @@ class PermissionBackend(ModelBackend):
        sess = get_current_session()
        if sess is not None and sess.session_key is None:
-            return Permission.objects.none()
+            return False
-        if user_obj.is_superuser and get_current_session().get("permission_mask", 0) >= 42:
+        if user_obj.is_superuser and get_current_session().get("permission_mask", 42) >= 42:
            return True
        if obj is None:
--- a/apps/treasury/views.py
+++ b/apps/treasury/views.py
@ -203,9 +203,9 @@ class RemittanceCreateView(ProtectQuerysetMixin, LoginRequiredMixin, CreateView)
    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)
-        context["table"] = RemittanceTable(data=Remittance.objects
+        context["table"] = RemittanceTable(
-                                       .filter(PermissionBackend.filter_queryset(self.request.user, Remittance, "view"))
+            data=Remittance.objects.filter(
-                                       .all())
+                PermissionBackend.filter_queryset(self.request.user, Remittance, "view")).all())
        context["special_transactions"] = SpecialTransactionTable(data=SpecialTransaction.objects.none())
        return context
--- a/static/js/base.js
+++ b/static/js/base.js
@ -119,7 +119,7 @@ function displayNote(note, alias, user_note_field=null, profile_pic_field=null)
        note.display_image = '/media/pic/default.png';
    }
    let img = note.display_image;
-    if (alias !== note.name)
+    if (alias !== note.name && note.name)
        alias += " (aka. " + note.name + ")";
    if (user_note_field !== null)